Add a bit to Opaque Responses to distinguish redirects #79
Comments
|
You can observe redirects with It seems safer however to use |
|
Forcing another set of RTT's to get just the single bit of data (that it was a redirect) is pretty bad, particularly in the cases where it might be a POST or non-idempotent operation. |
|
What I'm saying is that you would always use What I'm wondering is why you would suddenly care about this when you get to a response while you don't care about it when making a request. What kind of scenario that helps. |
|
No, I understand what you were saying; I don't think it's easy or reasonable. There are many systems that legitimately have redirects for "own content" but have off-origin redirects for navigation exfiltration; i.e. a secure open redirector to filter out referrer information. |
|
Sure, but in that scenario you simply would not cache opaque responses. |
|
The problem is that some sites are likely to install a SW that caches all
requests it sees.
|
|
Sure, but that's also a problem without redirects... |
|
why is it a problem without redirects? in what other case would a cached in this case it seems dangerous since most websites have open redirects, so |
|
Well, in that case you can already figure out you're redirected right? Since for "cors" responses you can just check their url. |
|
The argument goes as follows:
When developers code these SW, it's not expected for them to have to check |
|
Right, I understand the attack, don't worry, but if you look at OP it's suggesting to add a bit so you can figure out if the response is a redirect. You can already do this in most cases and if you don't want redirects to be followed you can accomplish that too, as I pointed out. It seems you want something else. It would help if you stated what you want. |
|
Oh, I thought that the bit in the Request would be part of the algorithm
for Cache.match(), but reading this once again, it seems like this is a bit
in the response..
|
|
We could certainly add restrictions to the Cache API, but this repository is about |
|
Right, that makes sense. It seems the OP is about making something like a
Request. makeAllCrossOriginRedirectsOpaque=true;
Which is a new idea for mitigating this, and I had assumed it was the
Cache.match one :-).
|
|
I'm pretty sure OP wants |
|
An opaque response wouldn't be renderable, which would mitigate at least
the XSS risk. It would still be possible to cache JS/Images, etc but they
are usually not dangerous (one exception would be shared workers, but they
can't be installed cross-origin).
|
|
Why would you prefer making responses opaque over simply getting a network error? Or getting a "opaqueredirect" response when you're redirected? |
|
The attack demo isn't working (not https) so here's what I think the attack is, if I'm wrong, the rest of my post is nonsense.
If this response contains script, it's running on the good-site origin. If that's the attack, I don't see how a "this came from a redirect" bit can help, as this information is already in Disallowing cross-origin CORS responses in response to "same-origin" navigation requests would help mitigate the navigation case. @annevk - we were trying to think of why we might need this restriction. Another possibility (although I'm not sure we need it) is a redirect mode of "follow-same-origin". |
This would require blocking synthetic responses for "same-origin" requests as well, right? Its trivial to convert a CORS response into a synthetic response. |
Wait, how did you end up here from where you started? Does in this scenario the service worker override the default of not following redirects? Doesn't make much sense to me. |
Can you explain how this is different from setting mode to "same-origin" and redirect mode to "follow"? |
This was resolved in IRC, but for the record: The bad stuff goes into the cache via a cors request, and comes back out via a client request. The cache would end up with an entry where the key was "good site" and the value was "bad site". Then when the navigation happens, the "bad site" entry is pulled out.
I thought @slightlyoff was wanting to retain "legitimate" redirects. #79 (comment) |
|
There's a further question on whether we should allow entries in the cache where |
Sure, but how is your proposal different in terms of processing from what I wrote?
As I said elsewhere, this is getting into nutty territory and doesn't defend against same-origin -> cross-origin -> same-origin. Also, even if we solve this for navigation, that still leaves all other cases open, so I don't think that makes much sense. |
What other code-executing cases are we worried about? |
|
Hmm, maybe that is the only vector. Would be good if @sirdarckcat could confirm. Perhaps the Cache API should return a network error if the input request has redirect mode not set to "follow" and the response is the result of a redirect. |
|
The PoC in http://sirdarckcat.blogspot.de/2015/05/service-workers-secure-open-redirect.html should work (it's non-HTTPS but the iframe is SSL). I can imagine a couple other possible attacks, but they depend on how the Cache.match algorithm behaves, which IMHO is where we should fix this. |
|
@sirdarckcat you keep mentioning the match algorithm, but you stop at the point of explaining how you'd fix it there. Per the model I suggested in my previous comment? |
|
Sorry, I probably should stop responding on my phone :) Yes, your solution sounds reasonable, but may not be future-proof. I think this will also become a problem: And has nothing to do with Cache API, however, exploiting that would require a mechanism for me to create a cors-enabled navigational request, which AFAIK is impossible today (but might become possible in the future, one imaginary use-case could be to enable cross-origin seamless iframes, for example, although it's a strawman argument since seamless iframes are long gone crbug.com/229421) |
|
You would expect that due to the presence of seamless the request would go through the parent's service worker? It's still not clear to me how you'd exploit that though. The "cors" bit would only be used to allow seamless, not share a script environment. |
|
So we're going to add We're also going to add a check to 3.3 of HTTP fetch. See w3c/ServiceWorker#737 (comment) for details. |
|
The way the specification is written doesn't actually solve this issue as |
|
We don't need the script exposed getter to return true to solve the original poster's issue. With the currently spec'd and implemented solution the linked exploit no longer works. You get a network error page because respondWith() fails due to the state of the internal redirected flag. |
|
Mkay. I guess if someone feels strongly about this they should open a new issue. |
|
chromium bug: https://crbug.com/669363 |
(apologies if this is a dupe)
@sirdarckcat has brought up an issue (documented here: http://sirdarckcat.blogspot.de/2015/05/service-workers-secure-open-redirect.html ) that seems like it'd be mostly solved through the addition of a single bit to Response objects which notes if the content is the result of a redirect.
At the webappsec f2f today in Berlin, the group there seems to agree that exposing this bit on Responses doesn't leak any new information; it's observable via CSP + iframes already.
/cc @jakearchibald @jungkees @annevk @metromoxie @hillbrad
The text was updated successfully, but these errors were encountered: